Security | May 15, 2026 | 8 min read

May 2026 Linux and cPanel CVE Storm: What to Patch Now

Three high-severity Linux kernel CVEs and a critical cPanel authentication bypass are being actively exploited in May 2026. Here is what to patch and how.

May 2026 Has Been an Unusually Bad Month for Server Security

Three high-severity Linux kernel privilege escalation vulnerabilities were disclosed within eight days of each other, and a critical cPanel authentication bypass has been under active exploitation since February — with over 1.5 million internet-exposed servers in scope. If you manage Linux or cPanel infrastructure and have not reviewed your patch status in the past two weeks, stop and do it now.

This post covers all four CVEs, what each one does, and the exact steps to remediate it.


CVE-2026-41940 — cPanel & WHM Authentication Bypass (CVSS 9.8)

Disclosed: April 28, 2026
Actively exploited since: approximately February 23, 2026, a true zero-day for roughly two months before the public patch
Affects: cPanel & WHM, all versions after 11.40; WP Squared before 136.1.7
Patched in: 11.136.0.5, 11.134.0.20, 11.132.0.29, 11.126.0.54, 11.118.0.63, 11.110.0.97

What it does

The vulnerability chains two weaknesses in cPanel's session handling. An attacker omits an expected segment from the whostmgrsession cookie, which triggers an encryption-skip in the session reader. A malicious Authorization header containing raw CRLF characters is then used to inject arbitrary key-value pairs — user=root, hasroot=1, tfa_verified=1 — directly into the session file on disk. When cPanel's cpsrvd daemon re-parses that file, the injected lines are treated as legitimate session properties, and the authentication check returns AUTH_OK without verifying a password or two-factor token.

The result is unauthenticated root-level access to the cPanel and WHM interfaces. No credentials required.

Who is exploiting it

Widespread exploitation has been attributed to the threat actor group Mr_Rot13. Their attack chain drops a Python-based webshell codenamed Filemanager, deploys a custom Go-based payload infector, changes the root system password, and implants attacker-controlled SSH public keys, establishing persistence that survives a cPanel update if it is not caught in time. Cryptocurrency mining, ransomware staging, backdoor implantation, and credential harvesting have all been observed as post-exploitation activity.

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on May 1, 2026, with a remediation deadline of May 3, 2026 for federal agencies.

What to do

# 1. Force-update cPanel immediately
/scripts/upcp --force

# 2. Confirm the patched build version
cat /usr/local/cpanel/version

# 3. Run cPanel's official compromise detection script
/usr/local/cpanel/scripts/check_cpanel_rpms --fix

# 4. Search access logs for exploitation indicators
# Look for requests with both cp_security_token and method=badpass
grep -i "cp_security_token" /usr/local/cpanel/logs/access_log | grep "badpass"

# 5. Restrict WHM/cPanel ports at the firewall if not yet done
# Port 2083 = cPanel SSL, Port 2087 = WHM SSL
# ufw evaluates rules in order, so add the allow rules for your management
# network (replace <TRUSTED_CIDR>) before the deny rules
ufw allow from <TRUSTED_CIDR> to any port 2083 proto tcp && ufw allow from <TRUSTED_CIDR> to any port 2087 proto tcp
ufw deny 2083 && ufw deny 2087

After patching, rotate all cPanel and WHM credentials. If you find indicators of compromise, treat the server as fully compromised — rebuild rather than clean.


CVE-2026-31431 — Copy Fail (Linux Kernel LPE, CVSS 7.8)

Disclosed: April 29, 2026
Affects: All Linux distributions shipping kernels from 2017 to the April 2026 patch
Exploited in the wild: confirmed

Copy Fail is a deterministic local privilege escalation in the kernel's algif_aead crypto module. A 732-byte exploit script escalates any unprivileged local account to root in seconds — no race condition, no per-target tuning. Container environments face an additional container escape risk.

# Patch (requires reboot)
apt update && apt upgrade && reboot

# Interim mitigation — disable the affected kernel module
sudo modprobe -r algif_aead

For the full technical breakdown, exploit mechanics, and fleet-wide verification steps, see our dedicated Copy Fail analysis.


CVE-2026-43284 / CVE-2026-43500 — Dirty Frag (Linux Kernel LPE, CVSS 8.8 / 7.8)

Disclosed: May 7, 2026
Affects: All Linux distributions with kernels from June 2023 onward
Exploited in the wild: in-the-wild activity confirmed by Microsoft Defender telemetry

Dirty Frag expands the attack surface opened by Copy Fail. Two CVEs, same root cause: the kernel performs in-place decryption into pages it does not own, allowing an unprivileged user to overwrite cached binaries in memory. CVE-2026-43284 targets the esp4/esp6 IPsec modules; CVE-2026-43500 targets the rxrpc module, which ships enabled by default on far more systems.

# Patch (requires reboot)
apt update && apt upgrade && reboot

# Interim mitigation — disable affected modules
# WARNING: disabling esp4/esp6 will break IPsec VPNs — evaluate before applying
sudo modprobe -r rxrpc
sudo modprobe -r esp4 esp6

For the full technical breakdown including the exploit step-by-step and verification commands, see our dedicated Dirty Frag analysis.


The Bigger Pattern: Is AI Finding All of This?

Copy Fail and Dirty Frag appeared eight days apart, both exploiting the same class of kernel defect: in-place cryptographic operations on memory the kernel does not own. This is not coincidence — and the security community is actively debating what it actually is.

What we know for certain: Copy Fail (CVE-2026-31431) was discovered by researcher Taeyang Lee at Theori using their AI-assisted security scanning tool, Xint Code. This is publicly attributed. The tool identified a nine-year-old code pattern across the Linux kernel that human auditors had reviewed many times and missed. Dirty Frag followed eight days later targeting the same class of bug in different modules. Whether Dirty Frag was found independently or through the same or similar tooling has not been officially stated — but the timing and the structural similarity are not lost on anyone.

On April 7, 2026 — three weeks before these disclosures — Anthropic announced Project Glasswing and previewed a model called Claude Mythos, which the company claimed had already identified thousands of zero-day vulnerabilities across every major operating system and web browser. Rather than a public release, access was funnelled to a closed coalition of partners including AWS, Microsoft, Google, Cisco, CrowdStrike, and the Linux Foundation. The security community's reaction was a documented mix of awe, concern, and unease. Not everyone is convinced that concentrating that capability in a small consortium is the right answer.

The broader data tells the same story. CVE disclosure volumes are up sharply across the industry year-to-date: Chrome is up 563%, GitHub up 476%, VMware up 181%, Apache up 170%. VulnCheck, which tracks these trends, estimates the throughput multiplier for AI-assisted discovery at somewhere between 10x and 100x for the categories of bugs AI handles best — memory safety issues, logic flaws, and pattern-based code analysis. The Linux kernel's in-place crypto path is exactly the kind of target that fits.

There is an ongoing debate in the security research community about what this means structurally. AI-driven discovery finds entire classes of bugs rather than individual issues. A researcher who finds one instance now has a tool that searches the full codebase for the same pattern in hours. Coordinated disclosure pipelines — already strained — are not built for this volume. The Dirty Frag embargo broke two days early when a working exploit leaked before the planned May 12, 2026 disclosure date. That kind of pressure will only increase.

Whether you believe this is an organic acceleration of research capability, a coordinated effort by well-resourced actors, or something in between, the operational consequence for server administrators is the same: patch windows that used to be measured in weeks are now measured in days. A CVE disclosed on Monday with a public exploit by Wednesday is no longer unusual. Scheduled maintenance windows are no longer a sufficient response model for kernel or authentication-layer vulnerabilities.


Checklist: Are You Exposed?

CVE             Check command                   Safe if output shows
CVE-2026-41940  cat /usr/local/cpanel/version   ≥ 11.136.0.5 (or branch equivalent)
CVE-2026-31431  uname -r                        Ubuntu: ≥ 6.8.0-107.107 on 24.04
CVE-2026-43500  lsmod | grep rxrpc
CVE-2026-43284  lsmod | grep esp4

If any of these checks fail, stop reading and patch now.
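A small script that runs the cPanel and kernel-module checks from this checklist, added here as an example (it is not the post's or cPanel's own tooling). It assumes the patched build list given above for CVE-2026-41940, that /usr/local/cpanel/version holds the build string, and that lsmod is available; the version and lsmod text can also be passed in directly so the checks work on captured output.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a cPanel & WHM build
# string against the patched builds listed for CVE-2026-41940 and reports
# whether the kernel modules named in the interim mitigations are loaded.
PATCHED_BUILDS="11.136.0.5 11.134.0.20 11.132.0.29 11.126.0.54 11.118.0.63 11.110.0.97"
# version_ge A B: 0 if dotted version A >= B, compared numerically per field
# (11.136.0.10 > 11.136.0.5, which a plain string compare gets wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}
# cpanel_patched VERSION: 0 = at/after the patched build for its branch,
# 1 = older than it, 2 = branch has no listed fix (treat as vulnerable).
cpanel_patched() {
    branch=${1%.*.*}                      # 11.136.0.5 -> 11.136
    for p in $PATCHED_BUILDS; do
        [ "${p%.*.*}" = "$branch" ] || continue
        version_ge "$1" "$p" && return 0
        return 1
    done
    return 2
}
# module_loaded NAME LSMOD_TEXT: 0 if NAME is in the first column of lsmod
# output (passed in, so the check can also run against captured text).
module_loaded() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]"
}
# Live checks on this host: the version file the post reads, plus lsmod.
run_checks() {
    if [ -r /usr/local/cpanel/version ]; then
        v=$(cat /usr/local/cpanel/version)
        cpanel_patched "$v" && echo "cPanel $v: patched for CVE-2026-41940" \
            || echo "cPanel $v: NOT patched for CVE-2026-41940, run /scripts/upcp --force"
    fi
    mods=$(lsmod 2>/dev/null || true)
    for m in algif_aead rxrpc esp4 esp6; do
        module_loaded "$m" "$mods" && echo "$m loaded: patch the kernel or modprobe -r $m"
    done
    return 0
}
run_checks
```

A loaded module only means the interim mitigation has not been applied; a patched kernel with the module loaded is still fixed, so pair the module check with the kernel version check from the table.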


Our team handles CVE remediation across production Linux and cPanel infrastructure as part of our managed security and compliance service. If you are not sure whether your servers are patched or want an independent review of your patch process, get in touch.
